Thoughts on Security in the Time of the Cloud

Recently, I attended a presentation about some security products that can be used in the Cloud by a big vendor. I will not mention the name of the vendor intentionally, because the products are great, the way that they were presented is what drew my attention.

So, the presentation started with some statements, most of which were absolutely not true, but one was the best – that there is no security in the Cloud! The whole idea was that the customer must know that there is no security what so ever in the Cloud and, of course, here comes the security product which will save the day!

After I heard that nonsense, I decided to put something together for the Fast Lane blog.

Security is a very complex topic and there is not a single way of approaching it. But the most important principle when it comes to security is to find the right balance- the balance between functionality and security! That’s why when we start to build security for our data centers we look at all the requirements that come from the applications, the users, the management. We try to protect the different types of access, the different application protocols, the servers, the infrastructure, etc. In other words, we have to deploy multiple layers of security to deal with these challenges. And this also means that we need to work with multiple security applications and appliances. But, at the end of the day, we slowly build the whole security solution, or security stack, that we need to protect our data center. We deploy the firewalls, the VPN concentrators, the intrusion prevention systems, the next generation firewalls, the web application firewalls, the authentication and authorization infrastructure, the monitoring, etc. What I want to say is, that when we build our data centers, we do not have any security! We have to take care of it and deploy a complex, multi-layered security solution that we have designed and put together!

What is different about the Cloud and security in it?

Well, it depends on which cloud we discuss.

The private cloud is basically our data center, which operates with the needed levels of automation, virtualization and orchestration, to provide us with the needed flexibility to offer cloud services. In this case, it’s all about the security that we have in our data center. We are in control, we own and manage it. But we must also take into account that there are additional components for the orchestration and the automation and that we will offer services to the end users, so we need to make sure that we have the needed security for these services.

The public cloud. Well, we do not have full control there. The infrastructure is owned and managed by the cloud provider. Think about being able to use some physical infrastructure, but you don’t have to worry about the physical installation, power, cooling, and connectivity. OK, we can work with that. But after that, when we spin off a virtual machine, or a whole environment in the public cloud, we also have to take care of the security stack! Just like with our own data center! Depending on the resources that we want to use, the requirements of the applications, end users, the management (you see, the same as the data center), we have to plan which firewalls to deploy and how to configure them. What VPN access to allow, and what public access to allow. Do we need to take care to protect our applications running in the cloud with web application firewalls, or not? And there are security products and solutions which we can use for this, which are provided by the cloud providers and their partners.

With the hybrid cloud we have one additional major security concern – the secure connectivity and data exchange between the private and the public clouds! There are solutions that we can use for this, but it is more important to realize that we have to solve this problem, too.

What I want to say is, that it is our responsibility to build the security solution, which will protect the applications that we run in the Cloud. And we have all the tools to do it!

Once again, in this situation knowledge is crucial. That’s why you have at your disposal the learning partners – Fast Lane can help with in-depth training for a wide variety of security solutions:

MS Azure security solutions

AWS security solutions

Cisco Cloud security – Cisco Umbrella, CloudLock, CloudCenter

VMware security

Barracuda, etc.

Interested in Azure Security? Check out Fast Lane's exclusive Azure Security Bootcamp 3 day course where you'll learn about protecting users, email and documents as well as managing the overall security solution. Students leave this course with a deeper understanding of the issues and threats and fully prepared to take on these challenges.